On Mon, Jul 26, 2010 at 10:45 AM, Oliver Lagni <[email protected]> wrote:
 > Hello,

Hi Oliver

 >
 > has any of you already had a problem of this kind?
 >
 > ASA 5520 (8.3) with VPN, overlapping addresses and 1-to-1 static NAT?
why do you absolutely have to use overlapping addresses???
 >
 > Basically, from site 1 I can ping the NATted addresses toward site 2,
 > but I cannot access the services open on the servers (ssh, telnet, etc.),
 > even though there are no restrictions in the access rules.

you are surely running into a routing problem, since the host sends
an ARP request on the same network segment as the source
 >
 >
 > IP inside site 1: 192.168.2.0/24
 > IP inside site 2: 192.168.2.0/24
 >
 > IP outside site 1: 172.16.254.0/24
 > IP outside site 2: 172.16.253.0/24
 >
 >
 > ASA-SITE2# sh run nat
 > nat (inside,outside-wind) source static 192.168.2.20 172.16.253.20 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
 > nat (inside,outside-wind) source static nexus 172.16.253.253 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
 > nat (inside,outside-wind) source static 192.168.2.13 172.16.253.13 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
 > nat (inside,outside-wind) source dynamic any 172.16.253.1 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
 > nat (inside,outside-wind) source dynamic any interface
 >
 >
 >
 >
 > ASA-SITE2# sh access-list
 > access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
 >            alert-interval 300
 > access-list outside-wind_1_cryptomap; 1 elements; name hash: 0x2bedd12d
 > access-list outside-wind_1_cryptomap line 1 extended permit ip 172.16.253.0 255.255.255.0 172.16.254.0 255.255.255.0 (hitcnt=1) 0x5362f721
 > access-list outside-wind_access_in; 1 elements; name hash: 0x3c725494
 > access-list outside-wind_access_in line 1 extended permit ip any any (hitcnt=0) 0x1c6f6602
 > access-list outside-wind_access_out; 2 elements; name hash: 0xdbc0f90e
 > access-list outside-wind_access_out line 1 extended permit ip 172.16.253.0 255.255.255.0 any (hitcnt=0) 0x6028d9cf
 > access-list outside-wind_access_out line 2 extended permit ip any any (hitcnt=3) 0x48e32d81
 > access-list inside_access_in; 1 elements; name hash: 0x433a1af1
 > access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 object VPN_L2L_SITE1 0x7d1028b5
 >  access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 172.16.254.0 255.255.255.0 (hitcnt=3) 0x7d1028b5
 >
 > has this already happened to anyone?
 >
 > did I forget something in the configuration?
 >
 > sorry, but I am not yet familiar with this new release (8.3).

in my opinion, for now you would be better off changing the
configuration of the networks so that there is no overlapping, all the
more so since, if you are using a LAN-to-LAN IPsec VPN, it is even better.

I hope my advice can be useful :)

Bye
Giulio
_______________________________________________
http://www.areanetworking.it
http://www.areanetworking.it/blog
[email protected]
http://ml.areanetworking.it/mailman/listinfo/cug
